Using Shorewall with Squid

TomEastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

This page covers Shorewall configuration to use with Squid running as a Transparent
Proxy or as a Manual Proxy.

Caution

This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release.

Caution

If your firewall is dual-stack, there are risks to using either
Transparent Proxy or TPROXY. Both break PMTU discovery for local clients
and can cause slow page loading and/or inability to connect to some
sites.

Squid as a Transparent (Interception) Proxy

Important

This section gives instructions for transparent proxying of HTTP.
HTTPS (normally TCP port 443) cannot be
proxied transparently (stop and think about it for a minute; if HTTPS
could be transparently proxied, then how secure would it be?).

It is a good idea to get Squid working as a manual proxy first before you try
transparent proxying.

The following instructions mention the file
/etc/shorewall/start - if you don't have that file, simply create
it.

When the Squid server is in the local zone, that zone must be
defined ONLY by its interface -- no /etc/shorewall/hosts file
entries. That is because the packets being routed to the Squid
server still have their original destination IP addresses.

You must have iptables installed on your Squid server.

Caution

In the instructions below, only TCP Port 80 is opened from the
system running Squid to the Internet. If your users require browsing
sites that use a port other than 80 (e.g.,
http://www.domain.tld:8080) then you
must open those ports as well.

Configurations

Three different configurations are covered:

Squid (transparent) Running on the Firewall

Squid (transparent) Running in the local Network

Squid (transparent) Running in a DMZ

Squid (transparent) Running on the Firewall

You want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will
of course require access to remote web servers.

In some cases (when running an LTSP server on the Shorewall
system), you might want to transparently proxy web connections that
originate on the firewall itself. This requires care to ensure that
Squid's own web connections are not proxied.

Squid (transparent) Running in the local network

You want to redirect all local www connection requests to a
Squid transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also
be a web server running on 192.168.1.3. It is assumed that web access
is already enabled from the local zone to the Internet.

If you are still using a tcrules file, you should consider
switching to using a mangle file (shorewall update
-t (shorewall update on Shorewall 5.0
and later) will do that for you). Corresponding
/etc/shorewall/tcrules entries are:

Squid3 as a Transparent Proxy with TPROXY

Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from
REDIRECT in that it does not modify the IP header and requires Squid 3 or
later. Because the IP header stays intact, TPROXY requires policy routing
to direct the packets to the proxy server running on the firewall. This
approach requires TPROXY support in your kernel and iptables and Squid 3.
See http://wiki.squid-cache.org/Features/Tproxy4.

Note

Support for the TPROXY action in shorewall-tcrules(5) and the
local option in shorewall-providers(5) has been
available since Shoreall 4.4.7. That support required additional rules
to be added in the 'start' extention script to make it work reliably.
Beginning with Shorewall 4.6.0, TPROXY in shorewall-tcrules(5) and
in shorewall-mangle(5) work as
described here.

The following configuration works with Squid running on the firewall
itself (assume that Squid is listening on port 3129 for TPROXY
connections).

Important

If you use TPROXY with both IPv4 and IPv6, then both your local
hosts and the gateway must have the same DNS view. If a client resolves
a website URL to an IPv6 address and the server can only resolve to an
IPv4 address, then Squid will attempt to connect to the IPv4 address
using the local client's IPv6 address. That clearly doesn't work.